Surviving Digg?
eliott
eliott at cactuswax.net
Tue May 6 21:27:00 MSD 2008
On 5/5/08, Grzegorz Nosek <grzegorz.nosek at gmail.com> wrote:
> On Mon, May 05, 2008 at 07:39:56PM -0700, Neil Sheth wrote:
> > Thanks, going through this. To be honest, not something I know much
> > about, but learning.
> >
> > Iptables with conntrack? Looking here:
> > http://www.kalamazoolinux.org/presentations/20010417/conntrack.html
> >
> > I do have entries in my iptables with params like --state NEW . . .
>
>
> Disabling conntrack is especially useful when you want your router to
> survive a DDoS :)
>
> If you have conntrack enabled (state, conn*, helper and probably many
> other matches; also _anything_ in the nat table), every connection eats
> a few bytes of precious (on 32-bit) kernel low memory. The amount of
> memory used is limited but after it is reached, new connections are
> dropped.
>
> If you only use --state NEW, for TCP the match '-p tcp --syn' should be
> equivalent.
Not only that, but if you don't specifically disable connection
tracking, things over the loopback get dumped into the state table by
default. Ugh!
http://cactuswax.net/articles/ip_conntrack-loopback-blues/
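The two practical points in this thread (how full the conntrack table is, and rewriting TCP-only "--state NEW" rules into the stateless "-p tcp --syn" match) as an added shell example, not code from either poster. It assumes iptables-save rule syntax, the /proc counter paths used by nf_conntrack and the older ip_conntrack module, and the raw-table NOTRACK target for exempting loopback; the sample rules below are constructed for illustration.

```shell
#!/bin/sh
# Added example: conntrack table check and stateless equivalents for NEW-only rules.

# Percentage of the conntrack table in use. Once count reaches max the kernel
# drops new connections, which is the DDoS failure mode discussed in the thread.
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Read the live counters if a conntrack module is loaded. Newer kernels expose
# nf_conntrack_{count,max}; older ones used ip_conntrack_{count,max}.
conntrack_status() {
    for d in /proc/sys/net/netfilter/nf_conntrack /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${d}_count" ] && [ -r "${d}_max" ]; then
            c=$(cat "${d}_count"); m=$(cat "${d}_max")
            echo "conntrack: $c/$m entries ($(conntrack_pct "$c" "$m")%)"
            return 0
        fi
    done
    echo "conntrack not loaded: nothing is being tracked"
}

# Rewrite a rule that only uses --state NEW (or --ctstate NEW) into the stateless
# TCP form: a SYN without ACK is what NEW means for TCP, so "--syn" needs no
# state table. Only valid when the rule already carries "-p tcp"; UDP/ICMP "NEW"
# has no stateless equivalent, so those rules are rejected rather than mangled.
stateless_new() {
    rule=$1
    case "$rule" in
        *"-p tcp"*)
            printf '%s\n' "$rule" \
                | sed -e 's/ -m state --state NEW/ --syn/' \
                      -e 's/ -m conntrack --ctstate NEW/ --syn/'
            ;;
        *)
            printf 'no stateless equivalent for: %s\n' "$rule" >&2
            return 1
            ;;
    esac
}

# Rules to keep loopback traffic out of the state table entirely (the "loopback
# blues" linked above). The raw table runs before conntrack, so NOTRACK there
# prevents the entry from ever being created. Printed, not applied: needs root.
loopback_notrack_rules() {
    cat <<'EOF'
iptables -t raw -A PREROUTING -i lo -j NOTRACK
iptables -t raw -A OUTPUT -o lo -j NOTRACK
EOF
}

# Constructed sample rules, as they would appear in iptables-save output.
if [ "${1:-}" = "demo" ]; then
    conntrack_status
    stateless_new '-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT'
    stateless_new '-A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT' || true
    loopback_notrack_rules
fi
```

Run with `sh script.sh demo`. Note that dropping conntrack only removes the memory cost if nothing else pulls the module in: any rule in the nat table, or any state/conntrack/helper match left anywhere, loads it again and every connection is tracked regardless of the rules you rewrote.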